Domain 1 - Cloud Concepts/Architecture/Design Flashcards
What are the characteristics of cloud computing?
- Ubiquity
- Convenient
- On-demand network access to a shared pool of computing resources
- Self Service
What are the Service Models?
- Software as a Service
- Platform as a Service
- Infrastructure as a Service
What are the various Deployment Models?
- Public Cloud
- Private Cloud
- Community Cloud
- Hybrid Cloud
Defines who owns and controls the underlying infrastructure.
What are the key characteristics of Public Cloud?
- Available to anyone who purchases the services.
- Multi-tenant
Concerns: Privacy, Security, Vendor lock-in
What are the key characteristics of Private Cloud?
- Single-tenant - Available only to a single organization
- May be located on-prem or hosted by a CSP.
- Ideal for files and data that are too sensitive to put on a public cloud (perceived to be more secure).
- Secure wipe of data is possible
Downside: More expensive
What are the key characteristics of Community Cloud?
- Multi-tenant but limited to a group of companies or individuals (e.g. Universities or Governments)
- May be hosted by one organization with access provided to others.
What are the key characteristics of Hybrid Cloud?
- Normally a combination of private and public clouds in whatever way makes sense to the business.
- Example: the primary system is in a private cloud with backups stored in a public cloud, or sensitive data is kept in a private cloud with less sensitive data (e.g. email) in a public cloud.
- Orchestration becomes important to keep it manageable.
What are the various cloud computing roles?
- Cloud Service Customer
- Cloud Service Provider
- Cloud Service Partner
- Cloud Service Broker
Who is a Cloud Service Provider?
- Company or entity offering cloud services (e.g. AWS)
- May offer SaaS, PaaS and IaaS
Who is a Cloud Service Partner?
A third party offering cloud-based services using the associated CSP.
Introduces customers to the cloud more easily.
Example - Dropbox mostly using its own infrastructure and extending to AWS in regions where it has no presence.
Who is a Cloud Service Broker?
A broker packages services in a manner that benefits the customer, making cloud adoption easier. Three primary tasks:
- Aggregate services from multiple CSPs.
- Integration with existing infrastructure (cloud/non-cloud)
- Customization of services that a CSP may not do.
What are the characteristics of Cloud Computing per NIST definition?
- On Demand Service; near instantaneous; self service; automated; problem of Shadow IT.
- Broad network access (needed to access cloud); problem of insecure protocols (e.g. FTP, HTTP)
- Multi-tenancy; risk of one tenant’s actions impacting another
- Rapid Elasticity and Scalability; resources scale, pay-as-you-go; risks for CSPs who must plan enough capacity
- Resource Pooling; risks as hypervisor compromise could lead to exposure
- Measured service - metering usage
What are the building block technologies of cloud computing?
- Virtualization - hypervisor
- Storage - SANs and NASs; risk of data deletion in shared storage
- Networking - use of internet to access cloud; data encryption in transit needed
- Databases - multiple types available
- Orchestration - organizational use of multi-cloud and multiple SaaS offerings; orchestration is the glue that keeps it all together; programming and automation; e.g. AWS CloudFormation
What is the NIST Reference Architecture?
Defined in SP 500-292.
RAs enable interoperability of cloud services from different vendors
NIST RA is role based - 5 Roles
1. Cloud Consumer (can consume SaaS, PaaS or IaaS services)
2. Cloud Provider
3. Cloud Auditor
4. Cloud Broker
5. Cloud Carrier (provider of connectivity to cloud)
Note that it does not mention a Cloud Partner; it also has an extra Cloud Auditor role.
What are cloud service capabilities?
A different way to look at cloud service models (SaaS/PaaS/IaaS).
While SaaS/PaaS/IaaS are defined by NIST, the cloud service capability types are defined by ISO/IEC.
There are three:
- Application Capability Types
- Platform Capability Types
- Infrastructure Capability Types
Under cloud service capability, what is Application Capability Type?
Ability to access an application from a variety of device types - e.g. thin client, web, etc.
Responsibility of supporting various device types belongs to the application.
User gets a seamless experience
Under cloud service capability, what is Platform Capability Type?
A platform has the capability of deploying solutions through the cloud. e.g. AWS Elastic Beanstalk
User can modify the solution, but not the underlying infrastructure.
User has access to dev tools tailored to that cloud environment.
Under cloud service capability, what is Infrastructure Capability Type?
An infrastructure customer cannot control the underlying HW, but can control OS, installed tools, solutions, and provisioning of compute, storage, network etc.
Example: a typical EC2 customer.
What are key considerations in the use of multi-cloud?
- Interoperability - avoiding vendor lock-in
- Portability - move data and architectures between clouds; no loss of metadata
- Reversibility - measures the extent cloud services can be moved between clouds
- Availability (Service availability, elasticity, scalability)
- Security (data, application and infrastructure)
- Privacy
- Resiliency (BCP, DR)
- Performance (measured through SLA)
- Governance (Policies, procedures, controls)
- Maintenance and Versioning
- Service Levels and SLAs (mostly standard for all but the largest customers who can negotiate).
- Auditability (verifies effectiveness of controls)
- Regulatory (governance needed to ensure requirements are met) - three types a) law b) contracts and c) standards
What are some of the transformative technologies made possible by the cloud?
- Machine Learning
- Artificial Intelligence
- Blockchain
- Internet of Things
- Containers
- Quantum Computing
What are the three types of access controls?
Physical, Administrative and Technical.
Physical - CSP’s domain. Protects access to data centers
Administrative - customer’s domain. Determines who can access the system, how access is logged etc.
Technical controls - shared. CSP Provides IAM system, customer is responsible for provisioning/deprov.
What is contextual-based security?
Level of access determined by identity, location, time of day, endpoint type, corporate network/external network, and other such factors.
What are the benefits of ingress/egress monitoring?
Ingress control - prevents unwanted external access attempts, allows only response to initiated requests
Egress control - prevents data loss; malware cannot reach C&C servers.
What’s the difference between Type I and Type II Hypervisors?
Type 1 - runs directly on the host’s hardware - e.g. Hyper-V, VMware ESXi, or Citrix XenServer. Also called bare-metal hypervisors. Difficult to set up.
Type 2 - runs as an application on top of a host operating system. Easier to set up, but less secure. e.g. VMware Workstation/Player, VirtualBox. Also called hosted hypervisors.